Tuesday 3 May 2016

Malware spam: "You Are Fired" leads to Locky

This spam email comes with a malicious attachment.

From:    Elfrida Wymer [WymerElfrida9172@recordshred.com]
Date:    3 May 2016 at 12:40
Subject:    You Are Fired BBF904D

We regret to inform you, yet we no longer need require your services.
Attached you can find additional information and the payout roll for the last month.

It's a bit of a self-fulfilling prophecy. If you are daft enough to download the ZIP file, and extract and run the script, then perhaps you WILL get fired.

According to this Malwr report, the twice-obfuscated script in the sample I saw downloads a binary from:

niagara.vn.ua/5wpSRm.exe

This Hybrid Analysis indicates that this is Locky ransomware. The DeepViz report shows network traffic to:

31.184.197.126 (Petersburg Internet Network, Russia)
91.226.93.113 (Sobis, Russia)
91.219.29.64 (FLP Kochenov Aleksej Vladislavovich / uadomen.com, Ukraine)


This is a subset of the IPs found in this earlier spam run; I recommend you block the lot.
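As an added example (not code from the original post), the script below turns the indicators reported above into something a defender can act on: it normalises the payload host and the three C2 addresses, scans proxy log lines for any client that fetched the payload or talked to a C2 address, and emits egress DROP rules for the IPs. The log format, the client addresses and the individual log lines are constructed for illustration; the host and IPs are the ones the post reports.

```python
"""Turn the IoCs from a malware-spam write-up into detection and blocking.

Added example, not code from the original post. The proxy log format and the
client addresses below are constructed; the payload host and C2 IPs are the
indicators the post reports.
"""
import ipaddress
from urllib.parse import urlparse

# Indicators taken from the post
PAYLOAD_URLS = ["http://niagara.vn.ua/5wpSRm.exe"]
C2_IPS = ["31.184.197.126", "91.226.93.113", "91.219.29.64"]

# Constructed proxy log, one request per line:
# "<epoch> <client> <status> <method> <url> <dest_ip>"
SAMPLE_LOG = """\
1462272000.123 10.0.0.15 TCP_MISS/200 GET http://niagara.vn.ua/5wpSRm.exe 203.0.113.10
1462272010.456 10.0.0.22 TCP_MISS/200 GET http://example.com/index.html 198.51.100.5
1462272020.789 10.0.0.15 TCP_MISS/200 POST http://31.184.197.126/ 31.184.197.126
1462272030.001 10.0.0.31 TCP_MISS/200 GET http://www.example.org/ 198.51.100.7
"""


def build_indicators(urls, ips):
    """Normalise the IoCs: payload hosts by lower-cased name, C2 by validated IP."""
    hosts = {urlparse(u).hostname.lower() for u in urls}
    # ipaddress.ip_address raises ValueError on a mistyped address, which is
    # better than silently shipping a blocklist entry that matches nothing
    addrs = {str(ipaddress.ip_address(ip)) for ip in ips}
    return {"hosts": hosts, "ips": addrs}


def scan_log(log_text, indicators):
    """Return (client, reason) for every log line that touches a known indicator."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed lines rather than crash on them
        _ts, client, _status, _method, url, dest_ip = fields
        host = (urlparse(url).hostname or "").lower()
        if host in indicators["hosts"]:
            hits.append((client, f"payload host {host}"))
        elif host in indicators["ips"] or dest_ip in indicators["ips"]:
            # the URL may name the IP directly or resolve to it; report whichever matched
            ip_hit = dest_ip if dest_ip in indicators["ips"] else host
            hits.append((client, f"c2 ip {ip_hit}"))
    return hits


def firewall_rules(indicators):
    """Egress DROP rules for the C2 addresses, one per IP, sorted for stable output."""
    return [f"iptables -A OUTPUT -d {ip} -j DROP" for ip in sorted(indicators["ips"])]


if __name__ == "__main__":
    ind = build_indicators(PAYLOAD_URLS, C2_IPS)
    for client, reason in scan_log(SAMPLE_LOG, ind):
        print(f"{client}: {reason}")
    print("\n".join(firewall_rules(ind)))
```

Run against the constructed log, the scan flags client 10.0.0.15 twice (the payload download and the later C2 connection), which is the sequence a Locky infection from this run would leave in proxy logs; the other clients are clean. Feed real proxy or firewall logs in the same six-field shape, or adapt the `fields` unpacking to your log format, and add the comment's extra payload hosts to `PAYLOAD_URLS` as they appear.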


1 comment:

DK said...

http://dsntours.com/78TaUb.exe
http://elivo.pl/Y2hNDK.exe
http://tumarketingdiario.com/cE7ZM5.exe

Also spread via emails with subject "1 Unread Message of High Priority"